Category Archives: scareware

We are seeing the criminals behind fake anti-virus continuing to customize their social engineering attacks to be more believable to users and presumably more successful.

Last week I wrote about fake Firefox malware warnings leading users to rogue security software. This week they've started to imitate Microsoft Update.

The page is nearly an exact replica of the real Microsoft Update page with one major exception... It only comes up when surfing from Firefox on Windows. The real Microsoft Update requires Internet Explorer.

The same site was also hosting the traditional Windows XP explorer scanner we have seen for years, as well as a new Windows 7 scanner.

Similar to spam messages that have corrected their grammar and use correct imagery and CSS, the attackers selling fake anti-virus are getting more professional.

They use high quality graphics and are using information from our UserAgent strings that are sent by the browser to customize your malware experience.

Just like visiting your bank you should only trust security alerts in your browser if you initiated a check with Microsoft, Adobe, Sophos or any other vendor for updates to their software.

Purveyors of fake security software don't let much grass grow under their feet and continually make improvements to their social engineering lures.

While most of the talk for the past month has been their move to Mac with fake Finder pop-ups that appear to scan your computer, they haven't stopped innovating on Windows either.

Their latest scam? They detect your user-agent string from your web browser and display a fake Firefox security alert if you are using the Mozilla Firefox web browser.

Internet Explorer users get the standard "My Computer" dialog that appears to do a system scan inside their browser window.

Taking advantage of detailed information about the person's computer and software allows for a much more specific, believable social engineering attempt.

We are likely to continue to see these criminals targeting each operating system, browser and any other details that can be gleaned from HTTP requests sent from our devices.

If you click the "Start Protection" button you will download the latest, greatest fake anti-virus program which will perform exactly the way you would expect a fake anti-virus program to.

It will faithfully detect fake viruses on your computer until you register it for $80 or more.

If you are a Firefox user and see a warning about viruses on your computer, you will know it is fake. Firefox does not include a virus scanner inside of it and it will only warn you about visiting malicious pages.

If you get a warning about a dangerous website from Firefox you can always play it safe... Close the browser.

ZDNet writer Ed Bott has today published a fascinating conversation with an AppleCare support rep on the subject of Mac malware.

For reasons which will become obvious when you read the interview, the Apple support rep has chosen to remain anonymous. Chances are that if he hadn't kept his identity secret that he would be thrown out of the company pretty quickly.

According to Bott's source at Apple, AppleCare's call volume is "4-5 times higher than normal" and the overwhelming majority of calls come from Apple customers who have been hit by the current spate of fake anti-virusattacks on the Mac OS X platform.

The Mac Defender fake anti-virus attack, and its variously named variants, are becoming common problems it seems:

It started with one call a day two weeks ago, now it’s every other call. It’s getting worse. And quick.

Perhaps most astonishingly, the interview reveals that Apple's official policy is that representatives are "not supposed to help customers remove malware from their computer."

The reason for the rule, they say, is that even though Mac Defender is easy to remove, we can't set the expectation to customers that we will be able to remove all malware in the future. That's what antivirus is for.

Although the support rep does admit that he often ignores corporate policy and help customers remove infections, he does acknowledge that this could get him into trouble if it comes to the attention of higher management.

But I can sympathise with the support rep, as it's hard to justify refusing to help a user with an infected Mac when it is using scare tactics and unsavoury pop-up windows to hoodwink them into handing over their credit card details for a "fix".

As the AppleCare support rep describes:

Well, I’m sure you’re aware of what Mac Defender pops up on your screen if you don’t buy it. Last call i got before the weekend was a mother screaming at her kids to get out of the room because she didn’t want them seeing the images. So, panicking, yes, I’d say that would be the situation usually. I had a teacher call about Mac Defender last week.

New versions of the latest malware to hit Mac OS X users have come to light, following the discovery earlier this week of fake anti-virus attacks being spread by SEO poisoning.

Fake anti-virus (also known as scareware or rogueware) is commonly seen on Windows computers, of course, but until now has been rarely encountered on the Apple Mac platform.

The new variants, seen by SophosLabs, are calling themselves "Mac Security" rather than their previous disguise of pretending to be "MacDefender" (which, incidentally, is the name of a genuine security product for the Mac - adding to the confusion).

When I ran the fake anti-virus on a test machine it claimed that a number of innocent files, including Mozilla Firefox, were infected by viruses and told me I would have to register the program in order to cleanup the "infections".

It's precisely these kinds of scare tactics which are regularly used by Windows-based fake anti-virus attacks to hoodwink innocent users into handing over their credit card details. Clearly whoever is responsible for this latest spate of attacks believes that there are rich pickings to be made from Mac users too.

Sophos detects the latest variants as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our detection to protect Mac users.

If you're not a Sophos customer, but have a Mac at home, you can protect your Mac right now if you download our free anti-virus. It's automatically updated to protect against the latest threats.